Hello,

From: Matt Kettler <[EMAIL PROTECTED]>
Subject: Re: Couple of newbie questions... (repost)
Date: Mon, 06 Feb 2006 18:59:34 -0500

(snip...)

> Consider this porn spam:
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from bgp01061386bgs.taylor01.mi.comcast.net
>     (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])
>     by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564
>     for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 05:21:12 -0500

I have some ideas for catching spam that comes from 'comcast.net' dynamic IPs.

(1) Update 'HELO_DYNAMIC_COMCAST'

#---
header   HELO_DYNAMIC_COMCAST2 X-Spam-Relays-Untrusted =~ /helo=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ident= envfrom= intl=0 .+auth= /
describe HELO_DYNAMIC_COMCAST2 Relay HELO'd using suspicious hostname (Comcast)
score    HELO_DYNAMIC_COMCAST2 2.800 2.800 3.237 3.500
#---

In '20_fake_helo_tests.cf', HELO_DYNAMIC_COMCAST is obsolete, I think. Comcast's FQDN format has been updated; almost all FQDNs now look like:

| $ host 68.40.7.208
| Name: c-68-40-7-208.hsd1.mi.comcast.net
| Address: 68.40.7.208

(2) Make site-local rules

Ex. All mail that comes to me passes through the receiver MTA 'mail.flcl.org'. So, I write:

#---
# Attention: Do not copy & paste the rules below as they are!
# You MUST re-write 'by=' to your own receiver MTA!
header   DIRECTCOMCAST X-Spam-Relays-Untrusted =~ /rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ by=mail\.flcl\.org ident= envfrom= intl=0 .+auth= /
describe DIRECTCOMCAST directly received spam from COMCAST
score    DIRECTCOMCAST 1.0

meta     ___DCN RAZOR2_CHECK || PYZOR_CHECK || DCC_CHECK
meta     DIRECTCOMCASTDCN ___DCN && DIRECTCOMCAST
score    DIRECTCOMCASTDCN 3.5

meta     DIRECTCOMCAST99 BAYES_99 && DIRECTCOMCAST
score    DIRECTCOMCAST99 3.5

meta     ___SURBL URIBL_AB_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_SC2_SURBL || URIBL_XS_SURBL
meta     DIRECTCOMCASTSURBL ___SURBL && DIRECTCOMCAST
score    DIRECTCOMCASTSURBL 2.0
#---

The first rule detects mail sent directly from dynamic IPs to my receiver MTA. But that is only a probability of spam. So, I use the meta rules to detect spam more strictly.

> Also, comcast's cablemodem users are the biggest problem, as they're readily
> infected by viruses. Comcast is usually fairly good about having RDNS for all
> these.

But almost all IPs on comcast.net have FQDNs set. So it is easier to decide whether comcast.net IPs are dynamic or not than it is for Asian ISPs' IPs.

--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
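The following is an added worked example, not part of the thread and not SpamAssassin's own code: it transcribes the header and meta rules from the post above into Python and runs them against X-Spam-Relays-Untrusted pseudo-headers, so you can see which fields each regex keys on and why the meta rules only add score once DIRECTCOMCAST has fired. The per-relay field layout in RELAY_FMT is reconstructed from the field order the post's regexes expect and is an assumption; the sample relays are built from the Received: line quoted in the thread, with the HELO and "other MTA" variants constructed; the names build_relays_header and evaluate are mine, and other_hits stands in for rules (Razor, Bayes, URIBL) that cannot run offline.

```python
import re

# Per-relay entry layout of X-Spam-Relays-Untrusted, reconstructed from the
# fields the post's regexes key on ("rdns= ... helo= ... by= ... ident=
# envfrom= intl=0 ... auth= "). Constructed template, not SpamAssassin's code.
RELAY_FMT = ("[ ip={ip} rdns={rdns} helo={helo} by={by} ident= envfrom= "
             "intl=0 id={id} auth= msa=0 ]")

# Header rules from the post, transcribed as Python regexes (same syntax).
HEADER_RULES = {
    "HELO_DYNAMIC_COMCAST2": re.compile(
        r"helo=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net "
        r".+ident= envfrom= intl=0 .+auth= "),
    "DIRECTCOMCAST": re.compile(
        r"rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net "
        r".+ by=mail\.flcl\.org ident= envfrom= intl=0 .+auth= "),
}

# Meta rules from the post, as predicates over the set of rule names that hit.
DCN = {"RAZOR2_CHECK", "PYZOR_CHECK", "DCC_CHECK"}
SURBL = {"URIBL_AB_SURBL", "URIBL_OB_SURBL", "URIBL_PH_SURBL", "URIBL_SC_SURBL",
         "URIBL_WS_SURBL", "URIBL_JP_SURBL", "URIBL_SC2_SURBL", "URIBL_XS_SURBL"}
META_RULES = {
    "DIRECTCOMCASTDCN":   lambda h: "DIRECTCOMCAST" in h and bool(h & DCN),
    "DIRECTCOMCAST99":    lambda h: "DIRECTCOMCAST" in h and "BAYES_99" in h,
    "DIRECTCOMCASTSURBL": lambda h: "DIRECTCOMCAST" in h and bool(h & SURBL),
}

# Scores from the post (first score slot only). Hits such as RAZOR2_CHECK or
# BAYES_99 carry SpamAssassin's own scores, which are deliberately left out
# so the result shows only what the post's rules contribute.
SCORES = {
    "HELO_DYNAMIC_COMCAST2": 2.8,
    "DIRECTCOMCAST": 1.0,
    "DIRECTCOMCASTDCN": 3.5,
    "DIRECTCOMCAST99": 3.5,
    "DIRECTCOMCASTSURBL": 2.0,
}


def build_relays_header(relays):
    """Join per-relay dicts into one X-Spam-Relays-Untrusted pseudo-header."""
    return " ".join(RELAY_FMT.format(**r) for r in relays)


def evaluate(relays_header, other_hits=frozenset()):
    """Return (set of hit rule names, score contributed by the post's rules).

    other_hits are pre-computed hits from rules this script cannot run
    (Razor/Pyzor/DCC, Bayes, URIBL); meta rules consume them by name, which
    mirrors how SpamAssassin evaluates meta rules after the other rules.
    """
    hits = set(other_hits)
    for name, rx in HEADER_RULES.items():
        if rx.search(relays_header):
            hits.add(name)
    for name, pred in META_RULES.items():   # meta rules run after header rules
        if pred(hits):
            hits.add(name)
    score = round(sum(SCORES.get(n, 0.0) for n in hits), 3)
    return hits, score


# Relay taken from the Received: line quoted in the thread, as seen by the
# poster's MTA: HELO uses the bgp... form, rDNS the c-... form.
SPAM_RELAY = {"ip": "68.40.7.208", "rdns": "c-68-40-7-208.hsd1.mi.comcast.net",
              "helo": "bgp01061386bgs.taylor01.mi.comcast.net",
              "by": "mail.flcl.org", "id": "jBRAKsEn012564"}
# Same host, but HELO also uses the c-... name (constructed variant).
HELO_RELAY = dict(SPAM_RELAY, helo="c-68-40-7-208.hsd1.mi.comcast.net",
                  id="CONSTRUCTED01")
# Same host seen by a different receiver MTA (constructed variant): this is
# why the post warns that 'by=' must be rewritten for each site.
OTHER_MTA_RELAY = dict(SPAM_RELAY, by="mx.example.org", id="CONSTRUCTED02")

if __name__ == "__main__":
    for label, relay, extra in [
        ("Razor + Bayes hits", SPAM_RELAY, {"RAZOR2_CHECK", "BAYES_99"}),
        ("dynamic HELO", HELO_RELAY, set()),
        ("other receiver MTA", OTHER_MTA_RELAY, {"RAZOR2_CHECK"}),
    ]:
        hits, score = evaluate(build_relays_header([relay]), extra)
        print(f"{label}: score={score} hits={sorted(hits)}")
```

The third case is the caveat worth noticing: a Comcast dynamic host relaying into a different receiver MTA scores nothing, even with a Razor hit, because DIRECTCOMCAST's `by=mail\.flcl\.org` anchor never matches and every meta rule depends on it. That is the intended design (the rule only flags direct-to-MX delivery at your own site), but it also means a copied rule with the wrong `by=` silently does nothing rather than failing loudly.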